auth helpers on client

Hello, when using supabase auth helpers, the documentation states that a browser client should be created. after fiddling with that, I have observed that the SUPABASE_URL and the SUPABASE_ANON_KEY are sent to the client. Theoretically, one could track network activity and get these, and in turn use them to create a supbaseClient on their side, to create new users. How can we secure this?